CVE-2017-12615
HIGH8.1⚠ KEVEPSS 94.2%When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server
發布日:2018/10/17修改日:2025/10/22加入 CISA KEV 日:2022/3/25
描述
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
受影響套件(1)
- Maven/org.apache.tomcat.embed:tomcat-embed-core>= 7.0.0, < 7.0.79
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
參考連結(28)
- ADVISORYhttps://github.com/advisories/GHSA-pjfr-qf3p-3q25
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12615
- WEBhttp://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
- WEBhttps://access.redhat.com/errata/RHSA-2017:3080
- WEBhttps://access.redhat.com/errata/RHSA-2017:3081
- WEBhttps://access.redhat.com/errata/RHSA-2017:3113
- WEBhttps://access.redhat.com/errata/RHSA-2017:3114
- WEBhttps://access.redhat.com/errata/RHSA-2018:0465
- WEBhttps://access.redhat.com/errata/RHSA-2018:0466
- WEBhttps://github.com/breaktoprotect/CVE-2017-12615
- WEBhttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://security.netapp.com/advisory/ntap-20171018-0001
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615
- WEBhttps://www.exploit-db.com/exploits/42953
- WEBhttps://www.synology.com/support/security/Synology_SA_17_54_Tomcat
- WEBhttp://www.securityfocus.com/bid/100901
- WEBhttp://www.securitytracker.com/id/1039392